Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.4:ARM
postfix
postfix-3.5-patch20
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File postfix-3.5-patch20 of Package postfix
diff -ur --new-file /var/tmp/postfix-3.5.19/html/lmtp.8.html ./html/lmtp.8.html --- /var/tmp/postfix-3.5.19/html/lmtp.8.html 2021-01-16 18:19:54.000000000 -0500 +++ ./html/lmtp.8.html 2023-06-05 11:24:57.000000000 -0400 @@ -663,6 +663,15 @@ A workaround for implementations that hang Postfix while shut- ting down a TLS session, until Postfix times out. + Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: + + <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b> + Optional configuration file with baseline OpenSSL settings. + + <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b> + The application name passed by Postfix to OpenSSL library ini- + tialization functions. + <b>OBSOLETE STARTTLS CONTROLS</b> The following configuration parameters exist for compatibility with Postfix versions before 2.3. Support for these will be removed in a diff -ur --new-file /var/tmp/postfix-3.5.19/html/postconf.5.html ./html/postconf.5.html --- /var/tmp/postfix-3.5.19/html/postconf.5.html 2021-01-17 10:10:20.000000000 -0500 +++ ./html/postconf.5.html 2023-06-05 16:58:29.000000000 -0400 @@ -15046,6 +15046,22 @@ </DD> +<DT><b><a name="smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> +(default: Postfix ≥ 3.9: yes)</b></DT><DD> + +<p> Disconnect remote SMTP clients that violate <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (or 5321) +command pipelining constraints. The server replies with "554 5.5.0 +Error: SMTP protocol synchronization" and logs the unexpected remote +SMTP client input. Specify "<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> = yes" +to enable. This feature is enabled by default with Postfix ≥ +3.9. </p> + +<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20. </p> + + +</DD> + <DT><b><a name="smtpd_forbidden_commands">smtpd_forbidden_commands</a> (default: CONNECT, GET, POST)</b></DT><DD> @@ -18371,6 +18387,113 @@ </DD> +<DT><b><a name="tls_config_file">tls_config_file</a> +(default: default)</b></DT><DD> + +<p> Optional configuration file with baseline OpenSSL settings. +OpenSSL loads any SSL settings found in the configuration file for +the selected application name (see <a href="postconf.5.html#tls_config_name">tls_config_name</a>) or else the +built-in application name "openssl_conf" when no application name is +specified, or no corresponding configuration section is present. +</p> + +<p> With OpenSSL releases 1.1.1 and 1.1.1a, applications (including +Postfix) can neither specify an alternative configuration file, nor +avoid loading the default configuration file. </p> + +<p> With OpenSSL 1.1.1b or later, this parameter may be set to one of: +</p> + +<dl> + +<dt> <b>default</b> (default) </dt> <dd> Load the system-wide +"openssl.cnf" configuration file. </dd> + +<dt> <b>none</b> (recommended, OpenSSL 1.1.1b or later only) </dt> +<dd> This setting disables loading of the system-wide "openssl.cnf" +file. </dd> + +<dt> <b><i>/absolute-path</i></b> (OpenSSL 1.1.1b or later only) </dt> +<dd> Load the configuration file specified by <i>/absolute-path</i>. +With this setting it is an error for the file to not contain any +settings for the selected <a href="postconf.5.html#tls_config_name">tls_config_name</a>. There is no fallback to +the default "openssl_conf" name. </dd> + +</dl> + +<p> Failures in processing of the built-in default configuration file, +are silently ignored. Any errors in loading a non-default configuration +file are detected by Postfix, and cause TLS support to be disabled. +</p> + +<p> The OpenSSL configuration file format is not documented here, +beyond giving two examples. <p> + +<p> Example: Default settings for all applications. </p> + +<blockquote> +<pre> +# The name 'openssl_conf' is the default application name +# The section name to the right of the '=' sign is arbitrary, +# any name will do, so long as it refers to the desired section. +# +# The name 'system_default' selects the settings applied internally +# by the SSL library as part of SSL object creation. Applications +# can then apply any additional settings of their choice. +# +# In this example, TLS versions prior to 1.2 are disabled by default. +# +openssl_conf = system_wide_settings +[system_wide_settings] +ssl_conf = ssl_library_settings +[ssl_library_settings] +system_default = initial_ssl_settings +[initial_ssl_settings] +MinProtocol = TLSv1.2 +</pre> +</blockquote> + +<p> Example: Custom settings for an application named "postfix". </p> + +<blockquote> +<pre> +# The mapping from an application name to the corresponding configuration +# section must appear near the top of the file, (in what is sometimes called +# the "default section") prior to the start of any explicitly named +# "[sections]". The named sections can appear in any order and don't nest. +# +postfix = postfix_settings +[postfix_settings] +ssl_conf = postfix_ssl_settings +[postfix_ssl_settings] +system_default = baseline_postfix_settings +[baseline_postfix_settings] +MinProtocol = TLSv1 +</pre> +</blockquote> + +<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20. </p> + + +</DD> + +<DT><b><a name="tls_config_name">tls_config_name</a> +(default: empty)</b></DT><DD> + +<p> The application name passed by Postfix to OpenSSL library +initialization functions. This name is used to select the desired +configuration "section" in the OpenSSL configuration file specified +via the <a href="postconf.5.html#tls_config_file">tls_config_file</a> parameter. When empty, or when the +selected name is not present in the configuration file, the default +application name ("openssl_conf") is used as a fallback. </p> + +<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20. </p> + + +</DD> + <DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a> (default: 32)</b></DT><DD> diff -ur --new-file /var/tmp/postfix-3.5.19/html/smtp.8.html ./html/smtp.8.html --- /var/tmp/postfix-3.5.19/html/smtp.8.html 2021-01-16 18:19:54.000000000 -0500 +++ ./html/smtp.8.html 2023-06-05 11:24:57.000000000 -0400 @@ -663,6 +663,15 @@ A workaround for implementations that hang Postfix while shut- ting down a TLS session, until Postfix times out. + Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: + + <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b> + Optional configuration file with baseline OpenSSL settings. + + <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b> + The application name passed by Postfix to OpenSSL library ini- + tialization functions. + <b>OBSOLETE STARTTLS CONTROLS</b> The following configuration parameters exist for compatibility with Postfix versions before 2.3. Support for these will be removed in a diff -ur --new-file /var/tmp/postfix-3.5.19/html/smtpd.8.html ./html/smtpd.8.html --- /var/tmp/postfix-3.5.19/html/smtpd.8.html 2022-02-05 18:29:54.000000000 -0500 +++ ./html/smtpd.8.html 2023-06-05 16:41:30.000000000 -0400 @@ -602,6 +602,15 @@ The email address form that will be used in non-debug logging (info, warning, etc.). + Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: + + <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b> + Optional configuration file with baseline OpenSSL settings. + + <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b> + The application name passed by Postfix to OpenSSL library ini- + tialization functions. + <b>OBSOLETE STARTTLS CONTROLS</b> The following configuration parameters exist for compatibility with Postfix versions before 2.3. Support for these will be removed in a @@ -902,6 +911,12 @@ to send to this service per time unit, regardless of whether or not Postfix actually accepts those commands. + Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: + + <b><a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> (Postfix</b> ><b>= 3.9: yes)</b> + Disconnect remote SMTP clients that violate <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (or 5321) + command pipelining constraints. + <b>TARPIT CONTROLS</b> When a remote SMTP client makes errors, the Postfix SMTP server can insert delays before responding. This can help to slow down run-away diff -ur --new-file /var/tmp/postfix-3.5.19/html/tlsproxy.8.html ./html/tlsproxy.8.html --- /var/tmp/postfix-3.5.19/html/tlsproxy.8.html 2021-01-16 18:19:55.000000000 -0500 +++ ./html/tlsproxy.8.html 2023-06-05 11:27:25.000000000 -0400 @@ -150,6 +150,15 @@ A workaround for implementations that hang Postfix while shut- ting down a TLS session, until Postfix times out. + Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: + + <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b> + Optional configuration file with baseline OpenSSL settings. + + <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b> + The application name passed by Postfix to OpenSSL library ini- + tialization functions. + <b>STARTTLS SERVER CONTROLS</b> These settings are clones of Postfix SMTP server settings. They allow <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> to load the same certificate and private key information as diff -ur --new-file /var/tmp/postfix-3.5.19/man/man5/postconf.5 ./man/man5/postconf.5 --- /var/tmp/postfix-3.5.19/man/man5/postconf.5 2021-01-17 10:10:20.000000000 -0500 +++ ./man/man5/postconf.5 2023-06-05 16:58:30.000000000 -0400 @@ -10203,6 +10203,16 @@ parameter $name expansion. .PP This feature is available in Postfix 2.0 and later. +.SH smtpd_forbid_unauth_pipelining (default: Postfix >= 3.9: yes) +Disconnect remote SMTP clients that violate RFC 2920 (or 5321) +command pipelining constraints. The server replies with "554 5.5.0 +Error: SMTP protocol synchronization" and logs the unexpected remote +SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes" +to enable. This feature is enabled by default with Postfix >= +3.9. +.PP +This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20. .SH smtpd_forbidden_commands (default: CONNECT, GET, POST) List of commands that cause the Postfix SMTP server to immediately terminate the session with a 221 code. This can be used to disconnect @@ -12814,6 +12824,104 @@ 2.7.2 and later versions. Specify "tls_append_default_CA = yes" for backwards compatibility, to avoid breaking certificate verification with sites that don't use permit_tls_all_clientcerts. +.SH tls_config_file (default: default) +Optional configuration file with baseline OpenSSL settings. +OpenSSL loads any SSL settings found in the configuration file for +the selected application name (see tls_config_name) or else the +built\-in application name "openssl_conf" when no application name is +specified, or no corresponding configuration section is present. +.PP +With OpenSSL releases 1.1.1 and 1.1.1a, applications (including +Postfix) can neither specify an alternative configuration file, nor +avoid loading the default configuration file. +.PP +With OpenSSL 1.1.1b or later, this parameter may be set to one of: +.IP "\fBdefault\fR (default)" +Load the system\-wide +"openssl.cnf" configuration file. +.br +.IP "\fBnone\fR (recommended, OpenSSL 1.1.1b or later only)" +This setting disables loading of the system\-wide "openssl.cnf" +file. +.br +.IP "\fB\fI/absolute\-path\fR\fR (OpenSSL 1.1.1b or later only)" +Load the configuration file specified by \fI/absolute\-path\fR. +With this setting it is an error for the file to not contain any +settings for the selected tls_config_name. There is no fallback to +the default "openssl_conf" name. +.br +.br +.PP +Failures in processing of the built\-in default configuration file, +are silently ignored. Any errors in loading a non\-default configuration +file are detected by Postfix, and cause TLS support to be disabled. +.PP +The OpenSSL configuration file format is not documented here, +beyond giving two examples. +.PP +Example: Default settings for all applications. +.sp +.in +4 +.nf +.na +.ft C +# The name 'openssl_conf' is the default application name +# The section name to the right of the '=' sign is arbitrary, +# any name will do, so long as it refers to the desired section. +# +# The name 'system_default' selects the settings applied internally +# by the SSL library as part of SSL object creation. Applications +# can then apply any additional settings of their choice. +# +# In this example, TLS versions prior to 1.2 are disabled by default. +# +openssl_conf = system_wide_settings +[system_wide_settings] +ssl_conf = ssl_library_settings +[ssl_library_settings] +system_default = initial_ssl_settings +[initial_ssl_settings] +MinProtocol = TLSv1.2 +.fi +.ad +.ft R +.in -4 +.PP +Example: Custom settings for an application named "postfix". +.sp +.in +4 +.nf +.na +.ft C +# The mapping from an application name to the corresponding configuration +# section must appear near the top of the file, (in what is sometimes called +# the "default section") prior to the start of any explicitly named +# "[sections]". The named sections can appear in any order and don't nest. +# +postfix = postfix_settings +[postfix_settings] +ssl_conf = postfix_ssl_settings +[postfix_ssl_settings] +system_default = baseline_postfix_settings +[baseline_postfix_settings] +MinProtocol = TLSv1 +.fi +.ad +.ft R +.in -4 +.PP +This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20. +.SH tls_config_name (default: empty) +The application name passed by Postfix to OpenSSL library +initialization functions. This name is used to select the desired +configuration "section" in the OpenSSL configuration file specified +via the tls_config_file parameter. When empty, or when the +selected name is not present in the configuration file, the default +application name ("openssl_conf") is used as a fallback. +.PP +This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20. .SH tls_daemon_random_bytes (default: 32) The number of pseudo\-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) process requests from the \fBtlsmgr\fR(8) server in order to seed its diff -ur --new-file /var/tmp/postfix-3.5.19/man/man8/smtp.8 ./man/man8/smtp.8 --- /var/tmp/postfix-3.5.19/man/man8/smtp.8 2021-01-16 18:19:54.000000000 -0500 +++ ./man/man8/smtp.8 2023-06-05 11:19:29.000000000 -0400 @@ -601,6 +601,13 @@ .IP "\fBtls_fast_shutdown_enable (yes)\fR" A workaround for implementations that hang Postfix while shutting down a TLS session, until Postfix times out. +.PP +Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: +.IP "\fBtls_config_file (default)\fR" +Optional configuration file with baseline OpenSSL settings. +.IP "\fBtls_config_name (empty)\fR" +The application name passed by Postfix to OpenSSL library +initialization functions. .SH "OBSOLETE STARTTLS CONTROLS" .na .nf diff -ur --new-file /var/tmp/postfix-3.5.19/man/man8/smtpd.8 ./man/man8/smtpd.8 --- /var/tmp/postfix-3.5.19/man/man8/smtpd.8 2022-02-05 18:29:54.000000000 -0500 +++ ./man/man8/smtpd.8 2023-06-05 16:41:03.000000000 -0400 @@ -538,6 +538,13 @@ .IP "\fBinfo_log_address_format (external)\fR" The email address form that will be used in non\-debug logging (info, warning, etc.). +.PP +Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: +.IP "\fBtls_config_file (default)\fR" +Optional configuration file with baseline OpenSSL settings. +.IP "\fBtls_config_name (empty)\fR" +The application name passed by Postfix to OpenSSL library +initialization functions. .SH "OBSOLETE STARTTLS CONTROLS" .na .nf @@ -797,6 +804,11 @@ The maximal number of AUTH commands that any client is allowed to send to this service per time unit, regardless of whether or not Postfix actually accepts those commands. +.PP +Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: +.IP "\fBsmtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes)\fR" +Disconnect remote SMTP clients that violate RFC 2920 (or 5321) +command pipelining constraints. .SH "TARPIT CONTROLS" .na .nf diff -ur --new-file /var/tmp/postfix-3.5.19/man/man8/tlsproxy.8 ./man/man8/tlsproxy.8 --- /var/tmp/postfix-3.5.19/man/man8/tlsproxy.8 2021-01-16 18:19:54.000000000 -0500 +++ ./man/man8/tlsproxy.8 2023-06-05 11:20:16.000000000 -0400 @@ -150,6 +150,13 @@ .IP "\fBtls_fast_shutdown_enable (yes)\fR" A workaround for implementations that hang Postfix while shutting down a TLS session, until Postfix times out. +.PP +Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: +.IP "\fBtls_config_file (default)\fR" +Optional configuration file with baseline OpenSSL settings. +.IP "\fBtls_config_name (empty)\fR" +The application name passed by Postfix to OpenSSL library +initialization functions. .SH "STARTTLS SERVER CONTROLS" .na .nf diff -ur --new-file /var/tmp/postfix-3.5.19/mantools/postlink ./mantools/postlink --- /var/tmp/postfix-3.5.19/mantools/postlink 2021-01-16 17:31:12.000000000 -0500 +++ ./mantools/postlink 2023-06-05 16:34:00.000000000 -0400 @@ -548,6 +548,7 @@ s;\bsmtpd_etrn_restrictions\b;<a href="postconf.5.html#smtpd_etrn_restrictions">$&</a>;g; s;\bsmtpd_expansion_filter\b;<a href="postconf.5.html#smtpd_expansion_filter">$&</a>;g; s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bidden_commands\b;<a href="postconf.5.html#smtpd_forbidden_commands">$&</a>;g; + s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_unauth_pipelining\b;<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">$&</a>;g; s;\bsmtpd_hard_error_limit\b;<a href="postconf.5.html#smtpd_hard_error_limit">$&</a>;g; s;\bsmtpd_helo_required\b;<a href="postconf.5.html#smtpd_helo_required">$&</a>;g; s;\bsmtpd_helo_restrictions\b;<a href="postconf.5.html#smtpd_helo_restrictions">$&</a>;g; @@ -764,6 +765,8 @@ s;\btls_session_ticket_cipher\b;<a href="postconf.5.html#tls_session_ticket_cipher">$&</a>;g; s;\btls_server_sni_maps\b;<a href="postconf.5.html#tls_server_sni_maps">$&</a>;g; s;\btls_ssl_options\b;<a href="postconf.5.html#tls_ssl_options">$&</a>;g; + s;\btls_config_name\b;<a href="postconf.5.html#tls_config_name">$&</a>;g; + s;\btls_config_file\b;<a href="postconf.5.html#tls_config_file">$&</a>;g; s;\btls_dane_digest_agility\b;<a href="postconf.5.html#tls_dane_digest_agility">$&</a>;g; s;\btls_dane_trust_anchor_digest_enable\b;<a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">$&</a>;g; s;\btls_fast_shutdown_enable\b;<a href="postconf.5.html#tls_fast_shutdown_enable">$&</a>;g; diff -ur --new-file /var/tmp/postfix-3.5.19/proto/postconf.proto ./proto/postconf.proto --- /var/tmp/postfix-3.5.19/proto/postconf.proto 2021-01-17 10:10:15.000000000 -0500 +++ ./proto/postconf.proto 2023-06-05 16:34:00.000000000 -0400 @@ -17760,3 +17760,114 @@ <p> This feature was backported from Postfix 3.6 to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21. </p> + +%PARAM tls_config_name + +<p> The application name passed by Postfix to OpenSSL library +initialization functions. This name is used to select the desired +configuration "section" in the OpenSSL configuration file specified +via the tls_config_file parameter. When empty, or when the +selected name is not present in the configuration file, the default +application name ("openssl_conf") is used as a fallback. </p> + +<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20. </p> + +%PARAM tls_config_file default + +<p> Optional configuration file with baseline OpenSSL settings. +OpenSSL loads any SSL settings found in the configuration file for +the selected application name (see tls_config_name) or else the +built-in application name "openssl_conf" when no application name is +specified, or no corresponding configuration section is present. +</p> + +<p> With OpenSSL releases 1.1.1 and 1.1.1a, applications (including +Postfix) can neither specify an alternative configuration file, nor +avoid loading the default configuration file. </p> + +<p> With OpenSSL 1.1.1b or later, this parameter may be set to one of: +</p> + +<dl> + +<dt> <b>default</b> (default) </dt> <dd> Load the system-wide +"openssl.cnf" configuration file. </dd> + +<dt> <b>none</b> (recommended, OpenSSL 1.1.1b or later only) </dt> +<dd> This setting disables loading of the system-wide "openssl.cnf" +file. </dd> + +<dt> <b><i>/absolute-path</i></b> (OpenSSL 1.1.1b or later only) </dt> +<dd> Load the configuration file specified by <i>/absolute-path</i>. +With this setting it is an error for the file to not contain any +settings for the selected tls_config_name. There is no fallback to +the default "openssl_conf" name. </dd> + +</dl> + +<p> Failures in processing of the built-in default configuration file, +are silently ignored. Any errors in loading a non-default configuration +file are detected by Postfix, and cause TLS support to be disabled. +</p> + +<p> The OpenSSL configuration file format is not documented here, +beyond giving two examples. <p> + +<p> Example: Default settings for all applications. </p> + +<blockquote> +<pre> +# The name 'openssl_conf' is the default application name +# The section name to the right of the '=' sign is arbitrary, +# any name will do, so long as it refers to the desired section. +# +# The name 'system_default' selects the settings applied internally +# by the SSL library as part of SSL object creation. Applications +# can then apply any additional settings of their choice. +# +# In this example, TLS versions prior to 1.2 are disabled by default. +# +openssl_conf = system_wide_settings +[system_wide_settings] +ssl_conf = ssl_library_settings +[ssl_library_settings] +system_default = initial_ssl_settings +[initial_ssl_settings] +MinProtocol = TLSv1.2 +</pre> +</blockquote> + +<p> Example: Custom settings for an application named "postfix". </p> + +<blockquote> +<pre> +# The mapping from an application name to the corresponding configuration +# section must appear near the top of the file, (in what is sometimes called +# the "default section") prior to the start of any explicitly named +# "[sections]". The named sections can appear in any order and don't nest. +# +postfix = postfix_settings +[postfix_settings] +ssl_conf = postfix_ssl_settings +[postfix_ssl_settings] +system_default = baseline_postfix_settings +[baseline_postfix_settings] +MinProtocol = TLSv1 +</pre> +</blockquote> + +<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20. </p> + +%PARAM smtpd_forbid_unauth_pipelining Postfix ≥ 3.9: yes + +<p> Disconnect remote SMTP clients that violate RFC 2920 (or 5321) +command pipelining constraints. The server replies with "554 5.5.0 +Error: SMTP protocol synchronization" and logs the unexpected remote +SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes" +to enable. This feature is enabled by default with Postfix ≥ +3.9. </p> + +<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20. </p> diff -ur --new-file /var/tmp/postfix-3.5.19/src/global/mail_params.h ./src/global/mail_params.h --- /var/tmp/postfix-3.5.19/src/global/mail_params.h 2022-03-22 17:30:42.000000000 -0400 +++ ./src/global/mail_params.h 2023-06-05 17:44:55.000000000 -0400 @@ -2381,6 +2381,10 @@ #define DEF_SMTPD_PEERNAME_LOOKUP 1 extern bool var_smtpd_peername_lookup; +#define VAR_SMTPD_FORBID_UNAUTH_PIPE "smtpd_forbid_unauth_pipelining" +#define DEF_SMTPD_FORBID_UNAUTH_PIPE 1 +extern bool var_smtpd_forbid_unauth_pipe; + /* * Heuristic to reject unknown local recipients at the SMTP port. */ @@ -3263,8 +3267,17 @@ extern bool var_smtp_cname_overr; /* - * TLS cipherlists + * TLS library settings */ +#define VAR_TLS_CNF_FILE "tls_config_file" +#define DEF_TLS_CNF_FILE "default" +extern char *var_tls_cnf_file; + +#define VAR_TLS_CNF_NAME "tls_config_name" +#define DEF_TLS_CNF_NAME "" +extern char *var_tls_cnf_name; + + #define VAR_TLS_HIGH_CLIST "tls_high_cipherlist" #define DEF_TLS_HIGH_CLIST "aNULL:-aNULL:HIGH:@STRENGTH" extern char *var_tls_high_clist; diff -ur --new-file /var/tmp/postfix-3.5.19/src/postconf/postconf_edit.c ./src/postconf/postconf_edit.c --- /var/tmp/postfix-3.5.19/src/postconf/postconf_edit.c 2014-12-06 20:35:33.000000000 -0500 +++ ./src/postconf/postconf_edit.c 2023-05-17 14:43:08.000000000 -0400 @@ -192,6 +192,11 @@ } else { msg_panic("pcf_edit_main: unknown mode %d", mode); } + if ((cvalue = htable_find(table, pattern)) != 0) { + msg_warn("ignoring earlier request: '%s = %s'", + pattern, cvalue->value); + htable_delete(table, pattern, myfree); + } cvalue = (struct cvalue *) mymalloc(sizeof(*cvalue)); cvalue->value = edit_value; cvalue->found = 0; @@ -459,8 +464,38 @@ /* * Match each service pattern. + * + * Additional care is needed when a request adds or replaces an + * entire service definition, instead of a specific field or + * parameter. Given a command "postconf -M name1/type1='name2 + * type2 ...'", where name1 and name2 may differ, and likewise + * for type1 and type2: + * + * - First, if an existing service definition a) matches the service + * pattern 'name1/type1', or b) matches the name and type in the + * new service definition 'name2 type2 ...', remove the service + * definition. + * + * - Then, after an a) or b) type match, add a new service + * definition for 'name2 type2 ...', but only after the first + * match. + * + * - Finally, if a request had no a) or b) type match for any + * master.cf service definition, add a new service definition for + * 'name2 type2 ...'. */ for (req = edit_reqs; req < edit_reqs + num_reqs; req++) { + PCF_MASTER_ENT *tentative_entry = 0; + int use_tentative_entry = 0; + + /* Additional care for whole service definition requests. */ + if ((mode & PCF_MASTER_ENTRY) && (mode & PCF_EDIT_CONF)) { + tentative_entry = (PCF_MASTER_ENT *) + mymalloc(sizeof(*tentative_entry)); + if ((err = pcf_parse_master_entry(tentative_entry, + req->edit_value)) != 0) + msg_fatal("%s: \"%s\"", err, req->raw_text); + } if (PCF_MATCH_SERVICE_PATTERN(req->service_pattern, service_name, service_type)) { @@ -506,18 +541,30 @@ * Replace entire master.cf entry. */ case PCF_MASTER_ENTRY: - if (new_entry != 0) - pcf_free_master_entry(new_entry); - new_entry = (PCF_MASTER_ENT *) - mymalloc(sizeof(*new_entry)); - if ((err = pcf_parse_master_entry(new_entry, - req->edit_value)) != 0) - msg_fatal("%s: \"%s\"", err, req->raw_text); + if (req->match_count == 1) + use_tentative_entry = 1; break; default: msg_panic("%s: unknown edit mode %d", myname, mode); } } + } else if (tentative_entry != 0 + && PCF_MATCH_SERVICE_PATTERN(tentative_entry->argv, + service_name, + service_type)) { + service_name_type_matched = 1; /* Sticky flag */ + req->match_count += 1; + if (req->match_count == 1) + use_tentative_entry = 1; + } + if (tentative_entry != 0) { + if (use_tentative_entry) { + if (new_entry != 0) + pcf_free_master_entry(new_entry); + new_entry = tentative_entry; + } else { + pcf_free_master_entry(tentative_entry); + } } } diff -ur --new-file /var/tmp/postfix-3.5.19/src/postconf/postconf_master.c ./src/postconf/postconf_master.c --- /var/tmp/postfix-3.5.19/src/postconf/postconf_master.c 2020-03-08 12:35:20.000000000 -0400 +++ ./src/postconf/postconf_master.c 2023-05-17 14:43:08.000000000 -0400 @@ -156,6 +156,7 @@ #include <readlline.h> #include <stringops.h> #include <split_at.h> +#include <dict_ht.h> /* Global library. */ @@ -393,12 +394,12 @@ concatenate("ro", PCF_NAMESP_SEP_STR, masterp->name_space, (char *) 0); masterp->argv = argv; masterp->valid_names = 0; + masterp->ro_params = dict_ht_open(ro_name_space, O_CREAT | O_RDWR, 0); process_name = basename(argv->argv[PCF_MASTER_FLD_CMD]); - dict_update(ro_name_space, VAR_PROCNAME, process_name); - dict_update(ro_name_space, VAR_SERVNAME, - strcmp(process_name, argv->argv[0]) != 0 ? - argv->argv[0] : process_name); - masterp->ro_params = dict_handle(ro_name_space); + dict_put(masterp->ro_params, VAR_PROCNAME, process_name); + dict_put(masterp->ro_params, VAR_SERVNAME, + strcmp(process_name, argv->argv[0]) != 0 ? + argv->argv[0] : process_name); myfree(ro_name_space); masterp->all_params = 0; return (0); diff -ur --new-file /var/tmp/postfix-3.5.19/src/smtp/smtp.c ./src/smtp/smtp.c --- /var/tmp/postfix-3.5.19/src/smtp/smtp.c 2021-01-16 11:30:07.000000000 -0500 +++ ./src/smtp/smtp.c 2023-06-05 11:07:48.000000000 -0400 @@ -567,6 +567,13 @@ /* .IP "\fBtls_fast_shutdown_enable (yes)\fR" /* A workaround for implementations that hang Postfix while shutting /* down a TLS session, until Postfix times out. +/* .PP +/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: +/* .IP "\fBtls_config_file (default)\fR" +/* Optional configuration file with baseline OpenSSL settings. +/* .IP "\fBtls_config_name (empty)\fR" +/* The application name passed by Postfix to OpenSSL library +/* initialization functions. /* OBSOLETE STARTTLS CONTROLS /* .ad /* .fi diff -ur --new-file /var/tmp/postfix-3.5.19/src/smtpd/smtpd.c ./src/smtpd/smtpd.c --- /var/tmp/postfix-3.5.19/src/smtpd/smtpd.c 2021-11-15 08:42:43.000000000 -0500 +++ ./src/smtpd/smtpd.c 2023-06-05 16:34:00.000000000 -0400 @@ -504,6 +504,13 @@ /* .IP "\fBinfo_log_address_format (external)\fR" /* The email address form that will be used in non-debug logging /* (info, warning, etc.). +/* .PP +/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: +/* .IP "\fBtls_config_file (default)\fR" +/* Optional configuration file with baseline OpenSSL settings. +/* .IP "\fBtls_config_name (empty)\fR" +/* The application name passed by Postfix to OpenSSL library +/* initialization functions. /* OBSOLETE STARTTLS CONTROLS /* .ad /* .fi @@ -751,6 +758,11 @@ /* The maximal number of AUTH commands that any client is allowed to /* send to this service per time unit, regardless of whether or not /* Postfix actually accepts those commands. +/* .PP +/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: +/* .IP "\fBsmtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes)\fR" +/* Disconnect remote SMTP clients that violate RFC 2920 (or 5321) +/* command pipelining constraints. /* TARPIT CONTROLS /* .ad /* .fi @@ -1436,6 +1448,7 @@ char *var_milt_unk_macros; char *var_milt_macro_deflts; bool var_smtpd_client_port_log; +bool var_smtpd_forbid_unauth_pipe; char *var_stress; char *var_reject_tmpf_act; @@ -5363,6 +5376,32 @@ static STRING_LIST *smtpd_noop_cmds; static STRING_LIST *smtpd_forbid_cmds; +/* smtpd_flag_ill_pipelining - flag pipelining protocol violation */ + +static int smtpd_flag_ill_pipelining(SMTPD_STATE *state) +{ + + /* + * This code will not return after I/O error, timeout, or EOF. VSTREAM + * exceptions must be enabled in advance with smtp_stream_setup(). + */ + if (vstream_peek(state->client) == 0 + && peekfd(vstream_fileno(state->client)) > 0) + (void) vstream_ungetc(state->client, smtp_fgetc(state->client)); + if (vstream_peek(state->client) > 0) { + if (state->expand_buf == 0) + state->expand_buf = vstring_alloc(100); + escape(state->expand_buf, vstream_peek_data(state->client), + vstream_peek(state->client) < 100 ? + vstream_peek(state->client) : 100); + msg_info("improper command pipelining after %s from %s: %s", + state->where, state->namaddr, STR(state->expand_buf)); + state->flags |= SMTPD_FLAG_ILL_PIPELINING; + return (1); + } + return (0); +} + /* smtpd_proto - talk the SMTP protocol */ static void smtpd_proto(SMTPD_STATE *state) @@ -5502,6 +5541,21 @@ #endif /* + * If the client spoke before the server sends the initial greeting, + * raise a flag and log the content of the protocol violation. This + * check MUST NOT apply to TLS wrappermode connections. + */ + if (SMTPD_STAND_ALONE(state) == 0 + && vstream_context(state->client) == 0 /* not postscreen */ + && (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0 + && smtpd_flag_ill_pipelining(state) + && var_smtpd_forbid_unauth_pipe) { + smtpd_chat_reply(state, + "554 5.5.0 Error: SMTP protocol synchronization"); + break; + } + + /* * XXX The client connection count/rate control must be consistent in * its use of client address information in connect and disconnect * events. For now we exclude xclient authorized hosts from @@ -5728,16 +5782,11 @@ && (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0 || (cmdp->flags & SMTPD_CMD_FLAG_LAST)) && (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0 - && (vstream_peek(state->client) > 0 - || peekfd(vstream_fileno(state->client)) > 0)) { - if (state->expand_buf == 0) - state->expand_buf = vstring_alloc(100); - escape(state->expand_buf, vstream_peek_data(state->client), - vstream_peek(state->client) < 100 ? - vstream_peek(state->client) : 100); - msg_info("improper command pipelining after %s from %s: %s", - cmdp->name, state->namaddr, STR(state->expand_buf)); - state->flags |= SMTPD_FLAG_ILL_PIPELINING; + && smtpd_flag_ill_pipelining(state) + && var_smtpd_forbid_unauth_pipe) { + smtpd_chat_reply(state, + "554 5.5.0 Error: SMTP protocol synchronization"); + break; } if (cmdp->action(state, argc, argv) != 0) state->error_count++; @@ -6400,6 +6449,7 @@ VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup, VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open, VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log, + VAR_SMTPD_FORBID_UNAUTH_PIPE, DEF_SMTPD_FORBID_UNAUTH_PIPE, &var_smtpd_forbid_unauth_pipe, 0, }; static const CONFIG_NBOOL_TABLE nbool_table[] = { diff -ur --new-file /var/tmp/postfix-3.5.19/src/tls/tls.h ./src/tls/tls.h --- /var/tmp/postfix-3.5.19/src/tls/tls.h 2023-01-28 10:42:43.000000000 -0500 +++ ./src/tls/tls.h 2023-06-05 11:07:48.000000000 -0400 @@ -77,6 +77,7 @@ #include <openssl/crypto.h> /* Legacy SSLEAY_VERSION_NUMBER */ #include <openssl/opensslv.h> /* OPENSSL_VERSION_NUMBER */ #include <openssl/ssl.h> +#include <openssl/conf.h> /* Appease indent(1) */ #define x509_stack_t STACK_OF(X509) @@ -362,6 +363,7 @@ * tls_misc.c */ extern void tls_param_init(void); +extern int tls_library_init(void); /* * Protocol selection. diff -ur --new-file /var/tmp/postfix-3.5.19/src/tls/tls_client.c ./src/tls/tls_client.c --- /var/tmp/postfix-3.5.19/src/tls/tls_client.c 2023-01-21 16:00:03.000000000 -0500 +++ ./src/tls/tls_client.c 2023-06-05 11:07:48.000000000 -0400 @@ -345,6 +345,13 @@ #endif /* + * Initialize the OpenSSL library, possibly loading its configuration + * file. + */ + if (tls_library_init() == 0) + return (0); + + /* * Create an application data index for SSL objects, so that we can * attach TLScontext information; this information is needed inside * tls_verify_certificate_callback(). diff -ur --new-file /var/tmp/postfix-3.5.19/src/tls/tls_misc.c ./src/tls/tls_misc.c --- /var/tmp/postfix-3.5.19/src/tls/tls_misc.c 2023-01-21 08:37:17.000000000 -0500 +++ ./src/tls/tls_misc.c 2023-06-05 11:09:45.000000000 -0400 @@ -29,6 +29,8 @@ /* #define TLS_INTERNAL /* #include <tls.h> /* +/* char *var_tls_cnf_file; +/* char *var_tls_cnf_name; /* char *var_tls_high_clist; /* char *var_tls_medium_clist; /* char *var_tls_low_clist; @@ -69,6 +71,8 @@ /* /* void tls_param_init() /* +/* int tls_library_init(void) +/* /* int tls_protocol_mask(plist) /* const char *plist; /* @@ -153,6 +157,9 @@ /* tls_param_init() loads main.cf parameters used internally in /* TLS library. Any errors are fatal. /* +/* tls_library_init() initializes the OpenSSL library, optionally +/* loading an OpenSSL configuration file. +/* /* tls_pre_jail_init() opens any tables that need to be opened before /* entering a chroot jail. The "role" parameter must be TLS_ROLE_CLIENT /* for clients and TLS_ROLE_SERVER for servers. Any errors are fatal. @@ -272,6 +279,8 @@ /* * Tunable parameters. */ +char *var_tls_cnf_file; +char *var_tls_cnf_name; char *var_tls_high_clist; char *var_tls_medium_clist; char *var_tls_low_clist; @@ -599,6 +608,8 @@ { /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */ static const CONFIG_STR_TABLE str_table[] = { + VAR_TLS_CNF_FILE, DEF_TLS_CNF_FILE, &var_tls_cnf_file, 0, 0, + VAR_TLS_CNF_NAME, DEF_TLS_CNF_NAME, &var_tls_cnf_name, 0, 0, VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0, VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0, VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0, @@ -642,6 +653,118 @@ get_mail_conf_bool_table(bool_table); } +/* tls_library_init - perform OpenSSL library initialization */ + +int tls_library_init(void) +{ + OPENSSL_INIT_SETTINGS *init_settings; + char *conf_name = *var_tls_cnf_name ? var_tls_cnf_name : 0; + char *conf_file = 0; + unsigned long init_opts = 0; + +#define TLS_LIB_INIT_TODO (-1) +#define TLS_LIB_INIT_ERR (0) +#define TLS_LIB_INIT_OK (1) + + static int init_res = TLS_LIB_INIT_TODO; + + if (init_res != TLS_LIB_INIT_TODO) + return (init_res); + + /* + * Backwards compatibility: skip this function unless the Postfix + * configuration actually has non-default tls_config_xxx settings. + */ + if (strcmp(var_tls_cnf_file, DEF_TLS_CNF_FILE) == 0 + && strcmp(var_tls_cnf_name, DEF_TLS_CNF_NAME) == 0) { + if (msg_verbose) + msg_info("tls_library_init: using backwards-compatible defaults"); + return (init_res = TLS_LIB_INIT_OK); + } + if ((init_settings = OPENSSL_INIT_new()) == 0) { + msg_warn("error allocating OpenSSL init settings, " + "disabling TLS support"); + return (init_res = TLS_LIB_INIT_ERR); + } +#define TLS_LIB_INIT_RETURN(x) \ + do { OPENSSL_INIT_free(init_settings); return (init_res = (x)); } while(0) + +#if OPENSSL_VERSION_NUMBER < 0x1010102fL + + /* + * OpenSSL 1.1.0 through 1.1.1a, no support for custom configuration + * files, disabling loading of the file, or getting strict error + * handling. Thus, the only supported configuration file is "default". + */ + if (strcmp(var_tls_cnf_file, "default") != 0) { + msg_warn("non-default %s = %s requires OpenSSL 1.1.1b or later, " + "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file); + TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR); + } +#else + { + unsigned long file_flags = 0; + + /*- + * OpenSSL 1.1.1b or later: + * We can now use a non-default configuration file, or + * use none at all. We can also request strict error + * reporting. + */ + if (strcmp(var_tls_cnf_file, "none") == 0) { + init_opts |= OPENSSL_INIT_NO_LOAD_CONFIG; + } else if (strcmp(var_tls_cnf_file, "default") == 0) { + + /* + * The default global config file is optional. With "default" + * initialisation we don't insist on a match for the requested + * application name, allowing fallback to the default application + * name, even when a non-default application name is specified. + * Errors in loading the default configuration are ignored. + */ + conf_file = 0; + file_flags |= CONF_MFLAGS_IGNORE_MISSING_FILE; + file_flags |= CONF_MFLAGS_DEFAULT_SECTION; + file_flags |= CONF_MFLAGS_IGNORE_RETURN_CODES | CONF_MFLAGS_SILENT; + } else if (*var_tls_cnf_file == '/') { + + /* + * A custom config file must be present, error reporting is + * strict and the configuration section for the requested + * application name does not fall back to "openssl_conf" when + * missing. + */ + conf_file = var_tls_cnf_file; + } else { + msg_warn("non-default %s = %s is not an absolute pathname, " + "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file); + TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR); + } + + OPENSSL_INIT_set_config_file_flags(init_settings, file_flags); + } +#endif + + if (conf_file) + OPENSSL_INIT_set_config_filename(init_settings, conf_file); + if (conf_name) + OPENSSL_INIT_set_config_appname(init_settings, conf_name); + + if (OPENSSL_init_ssl(init_opts, init_settings) <= 0) { + if ((init_opts & OPENSSL_INIT_NO_LOAD_CONFIG) == 0) + msg_warn("error loading the '%s' settings from the %s OpenSSL " + "configuration file, disabling TLS support", + conf_name ? conf_name : "global", + conf_file ? conf_file : "default"); + else + msg_warn("error initializing the OpenSSL library, " + "disabling TLS support"); + tls_print_errors(); + TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR); + } + TLS_LIB_INIT_RETURN(TLS_LIB_INIT_OK); +} + /* tls_pre_jail_init - Load TLS related pre-jail tables */ void tls_pre_jail_init(TLS_ROLE role) diff -ur --new-file /var/tmp/postfix-3.5.19/src/tls/tls_proxy.h ./src/tls/tls_proxy.h --- /var/tmp/postfix-3.5.19/src/tls/tls_proxy.h 2019-02-11 08:30:11.000000000 -0500 +++ ./src/tls/tls_proxy.h 2023-06-05 11:07:48.000000000 -0400 @@ -44,6 +44,8 @@ * VAR_TLS_SERVER_SNI_MAPS. */ typedef struct TLS_CLIENT_PARAMS { + char *tls_cnf_file; + char *tls_cnf_name; char *tls_high_clist; char *tls_medium_clist; char *tls_low_clist; @@ -65,12 +67,13 @@ } TLS_CLIENT_PARAMS; #define TLS_PROXY_PARAMS(params, a1, a2, a3, a4, a5, a6, a7, a8, \ - a9, a10, a11, a12, a13, a14, a15, a16, a17, a18) \ + a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20) \ (((params)->a1), ((params)->a2), ((params)->a3), \ ((params)->a4), ((params)->a5), ((params)->a6), ((params)->a7), \ ((params)->a8), ((params)->a9), ((params)->a10), ((params)->a11), \ ((params)->a12), ((params)->a13), ((params)->a14), ((params)->a15), \ - ((params)->a16), ((params)->a17), ((params)->a18)) + ((params)->a16), ((params)->a17), ((params)->a18), ((params)->a19), \ + ((params)->a20)) /* * tls_proxy_client_param_misc.c, tls_proxy_client_param_print.c, and @@ -216,6 +219,8 @@ /* * TLS_CLIENT_INIT_PROPS attributes. */ +#define TLS_ATTR_CNF_FILE "config_file" +#define TLS_ATTR_CNF_NAME "config_name" #define TLS_ATTR_LOG_PARAM "log_param" #define TLS_ATTR_LOG_LEVEL "log_level" #define TLS_ATTR_VERIFYDEPTH "verifydepth" diff -ur --new-file /var/tmp/postfix-3.5.19/src/tls/tls_proxy_client_misc.c ./src/tls/tls_proxy_client_misc.c --- /var/tmp/postfix-3.5.19/src/tls/tls_proxy_client_misc.c 2019-02-11 08:39:43.000000000 -0500 +++ ./src/tls/tls_proxy_client_misc.c 2023-06-05 11:07:48.000000000 -0400 @@ -78,6 +78,8 @@ TLS_CLIENT_PARAMS *tls_proxy_client_param_from_config(TLS_CLIENT_PARAMS *params) { TLS_PROXY_PARAMS(params, + tls_cnf_file = var_tls_cnf_file, + tls_cnf_name = var_tls_cnf_name, tls_high_clist = var_tls_high_clist, tls_medium_clist = var_tls_medium_clist, tls_low_clist = var_tls_low_clist, diff -ur --new-file /var/tmp/postfix-3.5.19/src/tls/tls_proxy_client_print.c ./src/tls/tls_proxy_client_print.c --- /var/tmp/postfix-3.5.19/src/tls/tls_proxy_client_print.c 2020-06-19 13:39:34.000000000 -0400 +++ ./src/tls/tls_proxy_client_print.c 2023-06-05 11:07:48.000000000 -0400 @@ -95,6 +95,8 @@ msg_info("begin tls_proxy_client_param_print"); ret = print_fn(fp, flags | ATTR_FLAG_MORE, + SEND_ATTR_STR(TLS_ATTR_CNF_FILE, params->tls_cnf_file), + SEND_ATTR_STR(TLS_ATTR_CNF_NAME, params->tls_cnf_name), SEND_ATTR_STR(VAR_TLS_HIGH_CLIST, params->tls_high_clist), SEND_ATTR_STR(VAR_TLS_MEDIUM_CLIST, params->tls_medium_clist), diff -ur --new-file /var/tmp/postfix-3.5.19/src/tls/tls_proxy_client_scan.c ./src/tls/tls_proxy_client_scan.c --- /var/tmp/postfix-3.5.19/src/tls/tls_proxy_client_scan.c 2021-04-03 12:13:35.000000000 -0400 +++ ./src/tls/tls_proxy_client_scan.c 2023-06-05 11:07:48.000000000 -0400 @@ -120,6 +120,8 @@ void tls_proxy_client_param_free(TLS_CLIENT_PARAMS *params) { + myfree(params->tls_cnf_file); + myfree(params->tls_cnf_name); myfree(params->tls_high_clist); myfree(params->tls_medium_clist); myfree(params->tls_low_clist); @@ -144,6 +146,8 @@ TLS_CLIENT_PARAMS *params = (TLS_CLIENT_PARAMS *) mymalloc(sizeof(*params)); int ret; + VSTRING *cnf_file = vstring_alloc(25); + VSTRING *cnf_name = vstring_alloc(25); VSTRING *tls_high_clist = vstring_alloc(25); VSTRING *tls_medium_clist = vstring_alloc(25); VSTRING *tls_low_clist = vstring_alloc(25); @@ -166,6 +170,8 @@ */ memset(params, 0, sizeof(*params)); ret = scan_fn(fp, flags | ATTR_FLAG_MORE, + RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file), + RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name), RECV_ATTR_STR(VAR_TLS_HIGH_CLIST, tls_high_clist), RECV_ATTR_STR(VAR_TLS_MEDIUM_CLIST, tls_medium_clist), RECV_ATTR_STR(VAR_TLS_LOW_CLIST, tls_low_clist), @@ -191,6 +197,8 @@ ¶ms->tls_multi_wildcard), ATTR_TYPE_END); /* Always construct a well-formed structure. */ + params->tls_cnf_file = vstring_export(cnf_file); + params->tls_cnf_name = vstring_export(cnf_name); params->tls_high_clist = vstring_export(tls_high_clist); params->tls_medium_clist = vstring_export(tls_medium_clist); params->tls_low_clist = vstring_export(tls_low_clist); @@ -205,7 +213,7 @@ params->tls_mgr_service = vstring_export(tls_mgr_service); params->tls_tkt_cipher = vstring_export(tls_tkt_cipher); - ret = (ret == 18 ? 1 : -1); + ret = (ret == 20 ? 1 : -1); if (ret != 1) { tls_proxy_client_param_free(params); params = 0; diff -ur --new-file /var/tmp/postfix-3.5.19/src/tls/tls_server.c ./src/tls/tls_server.c --- /var/tmp/postfix-3.5.19/src/tls/tls_server.c 2023-01-28 10:42:43.000000000 -0500 +++ ./src/tls/tls_server.c 2023-06-05 11:07:48.000000000 -0400 @@ -387,6 +387,13 @@ #endif /* + * Initialize the OpenSSL library, possibly loading its configuration + * file. + */ + if (tls_library_init() == 0) + return (0); + + /* * First validate the protocols. If these are invalid, we can't continue. */ protomask = tls_protocol_mask(props->protocols); diff -ur --new-file /var/tmp/postfix-3.5.19/src/tlsproxy/tlsproxy.c ./src/tlsproxy/tlsproxy.c --- /var/tmp/postfix-3.5.19/src/tlsproxy/tlsproxy.c 2020-08-21 19:37:21.000000000 -0400 +++ ./src/tlsproxy/tlsproxy.c 2023-06-05 11:07:48.000000000 -0400 @@ -134,6 +134,13 @@ /* .IP "\fBtls_fast_shutdown_enable (yes)\fR" /* A workaround for implementations that hang Postfix while shutting /* down a TLS session, until Postfix times out. +/* .PP +/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: +/* .IP "\fBtls_config_file (default)\fR" +/* Optional configuration file with baseline OpenSSL settings. +/* .IP "\fBtls_config_name (empty)\fR" +/* The application name passed by Postfix to OpenSSL library +/* initialization functions. /* STARTTLS SERVER CONTROLS /* .ad /* .fi
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor